Automatic access verification for AOAI services to develop and run on CAPI/managed AI resources #2764
…erification for AOAI services to develop and run on CAPI/managed AI resources
…ces using new method
…ess-verification-rebranch
…access-verification-rebranch
…access-verification-rebranch
…rganized function
src/System Application/App/AI/src/Azure OpenAI/AOAIAuthorization.Codeunit.al
src/System Application/App/AI/src/Azure OpenAI/AzureOpenAI.Codeunit.al
src/System Application/App/AI/src/Azure OpenAI/AOAIAccountVerificationLog.Table.al
…uggable, Updated table name with spaces
…cations, fixed minor issues with record fetching and saving
…ugging features removed.
@@ -100,11 +100,26 @@ codeunit 7771 "Azure OpenAI" | |||
/// Deployment would look like: gpt-35-turbo-16k | |||
/// </remarks> | |||
[NonDebuggable] | |||
[Obsolete('Using Managed AI resources now requires different input parameters. Use the other overload for SetManagedResourceAuthorization instead.', '26.0')] |
You also need to wrap this procedure (including docs comments) within preprocessor symbols:
#if not CLEAN26
<obsoleted procedure code>
#endif
This will make sure our automations remove the code after the obsoletion period has passed. It's also the root cause of the failure you see in the automated tests for this PR.
@@ -207,6 +207,21 @@ codeunit 7772 "Azure OpenAI Impl" | |||
end; |
Since you are obsoleting a function in the facade codeunit, you are leaving some code in this codeunit unused after the obsoletion period has passed.
In particular the old overload of SetManagedResourceAuthorization will not be called by anyone anymore and it should hence be removed after the obsoletion period has passed.
This codeunit is marked with access=internal, which means you don't need to explicitly obsolete the function with an [Obsolete()] tag because no one can reference this code outside of its own AL extension.
But you still need to make sure we don't leave unused code in the repos after the automations clean up the obsoleted code.
The way to do it here is to wrap the old overload of SetManagedResourceAuthorization in the tags:
#if not CLEAN26
<code for the old overload of SetManagedResourceAuthorization>
#endif
This way, when we remove the code from the other codeunit because it's wrapped in CLEAN tags (see my other comment), this will also be removed (our automations will just remove whatever is inside the CLEAN tags, there is no smartness there, so it's up to the developer to decide what to put inside these tags).
@@ -57,6 +77,19 @@ codeunit 7767 "AOAI Authorization" | |||
Deployment := NewDeployment; | |||
ApiKey := NewApiKey; | |||
ManagedResourceDeployment := NewManagedResourceDeployment; | |||
MicrosoftManagedAuthorizationWithDeployment := true; |
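Review bot: at MicrosoftManagedAuthorizationWithDeployment := true; the setter turns this mode flag on, but nothing in the visible lines turns it or any sibling flag off, so an instance that is configured twice could carry a stale flag into the configuration check. Either reset the mode flags at the start of each setter or derive the mode from which fields are populated.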
The other overload of SetMicrosoftManagedAuthorization is now unused after the function in the other codeunit is removed.
So you need to wrap the old overload of SetMicrosoftManagedAuthorization into
#if not CLEAN26
<old overload>
#endif
end | ||
else | ||
if MicrosoftManagedAuthorizationWithDeployment then | ||
exit(AzureOpenAiImpl.IsTenantAllowlistedForFirstPartyCopilotCalls()); |
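Review bot: the MicrosoftManagedAuthorizationWithDeployment branch returns on IsTenantAllowlistedForFirstPartyCopilotCalls() alone, so in the visible lines an empty ApiKey or ManagedResourceDeployment would still report the authorization as configured. Keep the non-empty checks in the same expression as the allowlist check so that a missing credential fails here rather than at call time.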
With this change, we are no longer checking anywhere that the variables are not empty.
I suggest we don't add the 4 new booleans at all, and instead we rely on the existence of account name or not (for example).
Example pseudo-code:
Enum::"AOAI Resource Utilization"::"Microsoft Managed":
if (AOAIAccountName <> '') and (ManagedResourceDeployment <> '') and (not ApiKey.IsEmpty()) then
exit(VerifyAOAIAccount(AOAIAccountName, ApiKey) and AzureOpenAiImpl.IsTenantAllowlistedForFirstPartyCopilotCalls())
else
exit((Deployment <> '') and (Endpoint <> '') and (not ApiKey.IsEmpty()) and (ManagedResourceDeployment <> '') and AzureOpenAiImpl.IsTenantAllowlistedForFirstPartyCopilotCalls());
You could even go one step further and make sure the old verification code is cleaned up automatically after the obsoletion period has passed
Example pseudo-code:
#if CLEAN26
Enum::"AOAI Resource Utilization"::"Microsoft Managed":
exit((AOAIAccountName <> '') and (ManagedResourceDeployment <> '') and (not ApiKey.IsEmpty()) and VerifyAOAIAccount(AOAIAccountName, ApiKey) and AzureOpenAiImpl.IsTenantAllowlistedForFirstPartyCopilotCalls());
#else
Enum::"AOAI Resource Utilization"::"Microsoft Managed":
if (AOAIAccountName <> '') and (ManagedResourceDeployment <> '') and (not ApiKey.IsEmpty()) then
exit(VerifyAOAIAccount(AOAIAccountName, ApiKey) and AzureOpenAiImpl.IsTenantAllowlistedForFirstPartyCopilotCalls())
else
exit((Deployment <> '') and (Endpoint <> '') and (not ApiKey.IsEmpty()) and (ManagedResourceDeployment <> '') and AzureOpenAiImpl.IsTenantAllowlistedForFirstPartyCopilotCalls());
#endif
if VerificationLog.Get(TruncatedAccountName) then | ||
RemainingGracePeriod := GracePeriod - (CurrentDateTime - VerificationLog.LastSuccessfulVerification) | ||
else | ||
RemainingGracePeriod := GracePeriod; |
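Review bot: RemainingGracePeriod := GracePeriod - (CurrentDateTime - VerificationLog.LastSuccessfulVerification) goes negative once the last successful verification is older than GracePeriod, and the else branch gives a full grace period to an account that has no log entry. Clamp the result to 0 and assign 0 when Get fails, so that neither case can be read as time remaining.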
If there is no entry in the verification log, then the remaining grace period should be 0.
It means that the Azure account was never verified and hence they are not entitled to a grace period.
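The fail-closed calculation this comment asks for, as an added AL example that is not code from the PR. The codeunit ID, its name and both procedure signatures are hypothetical, and the caller is assumed to pass in whether the verification log lookup found an entry.

```al
codeunit 50100 "Grace Period Example" // hypothetical object ID and name
{
    // Returns the time left in the grace period; 0 means no grace applies.
    procedure GetRemainingGracePeriod(LogEntryFound: Boolean; LastSuccessfulVerification: DateTime; GracePeriod: Duration; AsOf: DateTime): Duration
    var
        Elapsed: Duration;
    begin
        // Never verified: no log entry, or an entry without a timestamp.
        if (not LogEntryFound) or (LastSuccessfulVerification = 0DT) then
            exit(0);

        Elapsed := AsOf - LastSuccessfulVerification;

        // A timestamp in the future (clock skew or an altered record) is not trusted.
        if Elapsed < 0 then
            exit(0);

        // Expired: clamp to 0 instead of returning a negative duration.
        if Elapsed >= GracePeriod then
            exit(0);

        exit(GracePeriod - Elapsed);
    end;

    // Access is allowed on a fresh successful verification, or while grace time remains.
    procedure IsAccessAllowed(VerificationSucceeded: Boolean; Remaining: Duration): Boolean
    begin
        exit(VerificationSucceeded or (Remaining > 0));
    end;
}
```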
'0000AA1', // Event ID | ||
StrSubstNo(LogMessage, AccountName, VerificationDate), | ||
Verbosity::Warning, | ||
DataClassification::SystemMetadata, |
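Review bot: the message built by StrSubstNo(LogMessage, AccountName, VerificationDate) carries the account name, while the call tags it DataClassification::SystemMetadata. The classification should cover the most sensitive value substituted into the message; either classify it as customer content or leave the account name out of the message text.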
DataClassification::CustomerContent
The account name is customer content
// Within GRACE period | ||
if IsAccountVerifiedWithinPeriod(TruncatedAccountName, GracePeriod) then begin | ||
ShowUserNotification(StrSubstNo(AuthFailedWithinGracePeriodUserNotificationLbl, FormatDurationAsDays(RemainingGracePeriod))); | ||
LogTelemetry(AccountName, Today, StrSubstNo(AuthFailedWithinGracePeriodLogMessageLbl, AccountName, Today, FormatDurationAsDays(RemainingGracePeriod))); |
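Review bot: IsAccountVerifiedWithinPeriod is keyed on TruncatedAccountName while the telemetry line uses the full AccountName. If truncation can map two different account names to the same key, a successful verification of one would extend the grace period to the other; consider rejecting names that exceed the key length or keying on a hash of the full name.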
You are doing StrSubstNo inside LogTelemetry already. It seems like we don't need it here.
Fixes AB#535826